How do protection features in Microsoft 365 Business map to Intune settings

Android and iOS application protection settings

The following table details how the Android and iOS application policy settings map to Intune settings.

To find the Intune setting, sign in with your Microsoft 365 Business admin credentials and go to the Azure portal. Select More services, type Intune into the Filter, and then select Intune App Protection > App Policy.

Important: A Microsoft 365 Business subscription provides you with a license to modify only the Intune settings that map to the settings available in Microsoft 365 Business.

Click the Policy name you want to select, for example Application policy for Android, and then choose Policy settings.

Under Protect work files when devices are lost or stolen

| Android or iOS application policy setting | Intune setting(s) |
| --- | --- |
| Delete work files from an inactive device after | Offline interval (days) before app data is wiped |
| Force users to save work files to OneDrive for Business. Note that only OneDrive for Business is allowed | Select which storage services corporate data can be saved to |
| Encrypt work files | Encrypt app data |

Under Manage how users access Office files in mobile devices

| Android or iOS application policy setting | Intune setting(s) |
| --- | --- |
| Require a PIN or fingerprint to access Office apps | Require PIN to access. This also sets: Allow simple PIN to Yes; Pin Length to 4; Allow fingerprint instead of PIN to Yes; Disable app PIN when device PIN is managed to No |
| Reset PIN when login fails this many times (this is disabled if PIN is not required) | Number of attempts before PIN reset |
| Require users to sign in again after Office apps have been idle for (this is disabled if PIN is not required) | Recheck the access requirements after (minutes). This also sets: Timeout is set to minutes (this is the same number of minutes you set in Microsoft 365 Business); Offline grace period is set to 720 minutes by default |
| Deny access to work files on jailbroken or rooted devices | Block managed apps from running on jailbroken or rooted devices |
| Allow users to copy content from Office apps into personal apps | Restrict cut, copy and paste with other apps. If the Microsoft 365 Business option is set to On, then these three options are also set to All Apps in Intune: Allow app to transfer data to other apps; Allow app to receive data from other apps; Restrict cut, copy, and paste with other apps. If the Microsoft 365 Business option is set to On, then all the Intune options are set to: Allow app to transfer data to other apps is set to Policy managed apps; Allow app to receive data from other apps is set to All Apps; Restrict cut, copy, and paste with other apps is set to Policy Managed apps with Paste-In |
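The PIN and recheck rows above set several Intune values implicitly, so an exported policy can be checked for drift from them. The following is an added example, not Microsoft's code: the keys are Microsoft Graph managedAppProtection property names (an assumed mapping from the portal labels on this page), and `minutes`, `drift` and the sample policy are constructed for illustration.

```python
import re

# Values the table says are set implicitly when "Require a PIN or fingerprint
# to access Office apps" is on. Keys are Microsoft Graph managedAppProtection
# property names (assumed mapping; the page gives only the portal labels).
IMPLIED = {
    "pinRequired": True,                     # Require PIN to access
    "simplePinBlocked": False,               # Allow simple PIN = Yes
    "minimumPinLength": 4,                   # Pin Length = 4
    "fingerprintBlocked": False,             # Allow fingerprint instead of PIN = Yes
    "disableAppPinIfDevicePinIsSet": False,  # Disable app PIN when device PIN is managed = No
}
OFFLINE_GRACE_MIN = 720  # "Offline grace period is set to 720 minutes by default"
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def minutes(iso):
    """Convert an ISO 8601 duration such as 'PT12H' or 'PT30M' to whole minutes."""
    m = _DURATION.match(str(iso or ""))
    if not m or not any(m.groups()):
        raise ValueError(f"unparseable duration: {iso!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s // 60

def drift(policy, idle_minutes):
    """Return {property: (expected, actual)} for every value that differs."""
    expected = dict(IMPLIED)
    expected["periodOnlineBeforeAccessCheck"] = idle_minutes        # Timeout
    expected["periodOfflineBeforeAccessCheck"] = OFFLINE_GRACE_MIN  # Offline grace period
    actual = {}
    for key in expected:
        value = policy.get(key)
        if key.startswith("period"):
            try:
                value = minutes(value)  # durations are exported as ISO 8601 strings
            except ValueError:
                pass                    # missing or malformed: report the raw value
        actual[key] = value
    return {k: (v, actual[k]) for k, v in expected.items() if actual[k] != v}

# Constructed sample: a policy edited directly in Intune after it was created.
SAMPLE = {
    "displayName": "Application policy for Android",
    "pinRequired": True, "simplePinBlocked": False, "minimumPinLength": 4,
    "fingerprintBlocked": True, "disableAppPinIfDevicePinIsSet": False,
    "periodOnlineBeforeAccessCheck": "PT30M",
    "periodOfflineBeforeAccessCheck": "PT24H",
}

if __name__ == "__main__":
    for prop, (want, got) in drift(SAMPLE, idle_minutes=30).items():
        print(f"{prop}: expected {want!r}, found {got!r}")
```

Pass as `idle_minutes` the idle time chosen in Microsoft 365 Business, since the table says the Intune Timeout carries that same number.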

Windows 10 app protection settings

The following table details how the Windows 10 application policy settings map to Intune settings.

To find the Intune setting, sign in with your Microsoft 365 Business admin credentials and go to the Azure portal. Select More services, type Intune into the Filter, and then select Intune App Protection > App Policy.

Important: A Microsoft 365 Business subscription provides you with a license to modify only the Intune settings that map to the settings available in Microsoft 365 Business.

Click the policy name you want to select, and then choose General, Assignments, Allowed apps, Exempt apps, Required settings, or Advanced settings from the left nav to explore the available settings.

| Windows 10 application policy setting | Intune setting(s) |
| --- | --- |
| Encrypt work files | Advanced settings > Data protection: Revoke encryption keys on unenroll and Revoke access to protected data when the device enrolls to MDM are both set to On. |

Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business

Windows 10 device protection settings

The following table details how the Windows 10 device configuration settings map to Intune settings.

To find the Intune setting, sign in with your Microsoft 365 Business admin credentials and go to the Azure portal. Select More services, type Intune into the Filter, and then select Intune > Device configuration > Profiles. Then select Device policy for Windows 10 > Properties > Settings.

Windows 10 device policy setting

Intune setting(s)

Help protect PCs from viruses and other threats using Windows Defender Antivirus